Microsoft Fixes Exploited Windows Task Scheduler Bug
Microsoft has fixed an important-severity EoP bug in Windows Task Scheduler (CVE-2024-49039), which is being exploited in attacks.
Microsoft has released its regularly scheduled patches for November, which include fixes for more than 90 flaws. Two of the vulnerabilities in today’s security updates are being exploited by threat actors.
By The Numbers:
92 CVEs overall are part of Microsoft’s November security updates
Of these, 4 flaws are critical severity, and 2 are being exploited in the wild
November’s Patch Tuesday puts Microsoft on track for 949 CVEs addressed so far this year - its second-largest year for patches (even before next month’s December Patch Tuesday), according to Trend Micro’s Zero Day Initiative
Flaws You Should Pay Attention To: One of the exploited bugs is an important-severity flaw (ranking 8.8 out of 10 on the CVSS scale) in Windows Task Scheduler (CVE-2024-49039). CVE-2024-49039 could enable elevation of privilege, and Microsoft said attackers that exploit this flaw successfully can execute RPC functions that are restricted to privileged accounts only. Vlad Stolyarov and Bahare Sabouri with Google's Threat Analysis Group were credited with finding the bug.
“To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application on the target system exploit the vulnerability to elevate their privileges to a Medium Integrity Level,” according to Microsoft’s security advisory for the flaw. “In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”
Microsoft fixed another important-severity flaw that’s being exploited in attacks: an NTLM hash disclosure spoofing vulnerability (CVE-2024-43451), which discloses a user’s NTLMv2 hash to attackers, who could then use it to authenticate as the user. Unlike CVE-2024-49039, Microsoft said that this vulnerability has already been publicly disclosed.
“Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability,” according to Microsoft’s advisory. Microsoft said that Israel Yeshurun with ClearSky Cyber Security found this flaw.
Other noteworthy bugs in this month’s update include a remote code execution flaw in Windows Kerberos (CVE-2024-43639). According to Microsoft, “an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target.”
Another remote code execution flaw in .NET and Visual Studio (CVE-2024-43498) could be exploited by remote, unauthenticated attackers that are able to send specially crafted requests to vulnerable .NET web apps, or load a specially crafted file into a vulnerable desktop app, Microsoft said.
The Upshot: Microsoft didn’t give further details about the exploitation of CVE-2024-49039 and CVE-2024-43451, so we’ll have to wait to get a better idea of how widespread the attacks are. Regardless, it’s important to prioritize vulnerabilities that threat actors are targeting, so these two should be at the top of the patching list.